Activity Access Controls

What are activity access controls?

Activity access controls are rules that govern access to your Uptempo Campaign Management activities and their associated data.

As an administrator, you can use access controls to define who (users) can access what (activities and their data) and how (the permitted actions). For example, you can create access controls to ensure users can only make changes to activities within their department or region, or to prevent specific users from seeing any details at all about certain activities.

By creating access controls and assigning them to your users, you can ensure that users only have access to the activity details and functionality they need. This helps to protect sensitive or privileged information, and maintains data integrity by preventing unauthorized changes.

How do activity access controls work?

Uptempo Campaign Management uses the "deny by default" principle for activity access control, which means that users have no access to any activity by default. Instead, administrators must grant users explicit permission to access and interact with activities. To do this, administrators create policies and statements that define these permissions and apply them to users.

Policies

To grant access permissions to users, you first create policies. Each policy defines a particular set of access permissions. You can then link users to policies to grant them the associated access permissions.

Whenever a user makes an access request in Uptempo Campaign Management, the access control system dynamically decides whether to grant or deny the request, using this process:

A user requests access to an activity.
The system retrieves all of the access control policies that the user is linked to.
The system evaluates the policies to decide whether the user has permission to receive the requested access.
The system grants or denies access based on the outcome of the evaluation.

For example, say a user opens the Details view of a particular activity: if the user's policies give permission to see the activity's details, the system will display those details to the user; otherwise, the system hides the details from the user.

Statements

To define the exact permissions that a policy grants, you create statements. A policy can contain one or multiple statements, and each statement defines a particular scope of access: for example, a statement might grant full access to create, edit, or delete all activities, or it might only grant access to view activities of a specified type.

Statements are additive, which means a policy grants the sum of all its statements added together. In cases where two applicable statements have an overlapping scope (e.g. the same activity type), that means that the statement which grants more access is the one that will take effect. Additionally, users can be linked to multiple policies, so users are granted the sum of the statements across all of the policies they are linked to.

Note

"Requesting access" consists of both actions that the user actively performs, as well as implied requests that the user may not even be aware of. To ensure both data security and a seamless user experience, the system is designed to adjust its behavior in a way that is transparent to the user based on their permissions.

For example, if a user has view permission but not edit permission for an activity, the system does not wait until the user tries to make a change to the activity — instead, the system proactively hides the Edit buttons on the activity for that user.

How are activity access control statements structured?

Uptempo's activity access controls are based on the Attribute-Based Access Control (ABAC) model.

An ABAC access control system makes access decisions by evaluating the characteristics (attributes) of the users and resources involved in an access control request. As a result, Uptempo Campaign Management's activity access control statements are structured around attributes of users and activities.

What is Attribute-Based Access Control (ABAC)?

To understand how Uptempo's activity access controls work, it's helpful to understand some basics about Attribute-Based Access Control (ABAC).

Like all access control models, ABAC is centered around the concept of protecting resources by deciding which users are allowed to perform specific actions on those resources:

Resources are the objects that the ABAC system is protecting. In Uptempo Campaign Management, these are your activities and their data.
Users are the entities who are requesting access to the resources. In Uptempo Campaign Management, these are user accounts with access to Uptempo Campaign Management (the Activities section).
Actions are the operations that users are requesting to perform on a resource, such as viewing, creating, editing, deleting, etc. In Uptempo Campaign Management, these actions include the basic user operations such as viewing or creating an activity, but can also be defined more specifically: for example, placing an activity in the hierarchy as a child of another activity is an action that can be defined and controlled.

When a user makes a request to the system to perform an action on a resource, the ABAC system looks at the attributes of the user and resource involved:

Attributes are characteristics of the entities involved: the user who is making the request, and the resource involved in the request. In Uptempo Campaign Management, these are typically properties of activities, such as the activity type (user properties are not currently supported as ABAC attributes).

The ABAC system then looks at the user's policies, and the statements they contain. Each statement is a rule that defines certain attribute-based requirements, and specifies an access control effect (allow or deny) that is applied when these requirements are met.

To make an access control decision, the ABAC system compares the attributes of the user and the requested resource, and evaluates them against the user's access control policies. If the user is linked to a policy that defines a statement for the attributes involved, the ABAC system grants (or denies) access accordingly.

Example

Let's say a user has an access control statement that says:

"ALLOW users in the location EUROPE to VIEW resources with the type DOCUMENT."

If that user makes an access request where:

The requested Action is: VIEW
The user's Location attribute is: EUROPE
The resource's Type attribute is: DOCUMENT

Then this statement would take effect, because all of the statement's requirements are met by the access request. As a result, the access control system applies the effect specified by the statement (ALLOW), and grants access.

If any of the statement's requirements were not met (for example, if the requested action is EDIT), the statement would not apply. In this case, assuming the user has no other statements that are applicable to the request, the access control system denies access.

Structure of activity access control statements

In Uptempo, the basic structure of an access control statement consists of four properties:

Effect (required): The effect the statement has when it applies to an access request, i.e. whether the statement allows or denies access.
Action (required): The operation that the user is requesting to perform on the resource, e.g. view, create, etc.
Resource (required): The type of object that the user is requesting to perform the action on, i.e. an activity type.
Conditions (optional): Additional conditions to define the resource with greater granularity, based on activity attribute values (e.g. activities where a specified activity attribute has a particular value).

You construct statements by using the Statement Editor to define each property. Completed statements are represented as sentences that summarize the access scope of the statement. For example:

ALLOW View access for any Activity

→ This statement allows users to view activities of all types.

If a statement contains conditions, this is indicated in the statement summary, along with the number of applicable conditions. For example:

ALLOW All actions for any Activity that meets the specified conditions: Conditions (2)

→ This statement allows users to perform any action on activities that meet certain conditions.

You can click on Conditions to view the conditions on the statement. The conditions are listed individually, like this:

ALLOW All actions for any Activity where:

Objective is one of Lead Nurturing, Brand Awareness
Activity Type is Tactic

→ This statement allows users to perform any action on any activity that has the activity type "Tactic", and has its Objective attribute set to either "Lead Nurturing" or "Brand Awareness".

Conditions can be set based on matching either a single value with operator "is", or on matching one of multiple values with the operator "is one of".

Note

If multiple conditions are specified within a statement, the individual conditions are logically evaluated with an AND operator. This means that all conditions specified must be met for the statement to apply.

If you need to create conditions that should be evaluated with an OR operator, you can do this by placing them in separate statements. This is because statements are additive, separate statements are evaluated with an OR operator: if there are two applicable statements, the requirements of either Statement A or Statement B can be met.

What types of properties do activity access controls support?

Activity access control permissions are defined based on four properties: Users, Effects, Actions, and Resources. Each of these properties contains various types: for example, the Users object contains users (individual users) and teams (groups of users).

At present, activity access controls do not yet have support for all available types within each property. This means that activity access controls support certain kinds of configurations today, with more to be added in the future. For a full list of supported capabilities, see Reference: Access Control Statement Properties.

Next steps

To learn how to create, configure, and manage access control policies and statements, see Managing Access Control for Activities.